Deployment Architecture

Splunk Architecture Guidance on colocation best practices for the Search Head Cluster Deployer.

adnankhan5133
Communicator

Hello,

While this helpful Splunk document (https://docs.splunk.com/Documentation/Splunk/8.0.4/Deploy/Manageyourdeployment) provides some insight on which Splunk components a Deployer can be colocated with, I'm looking for advice for my specific situation, where we are anticipating ingestion of less than 200 GB/day.

We are planning to have 2 standalone Enterprise Security Search Heads and 3 Enterprise Search Heads in a cluster. Each SH will run on instances with 16 CPU and 64 GB RAM. We are planning to colocate the Cluster Master and License Master (8 CPU, 64 GB RAM), as well as Deployment Server with the Monitoring Console (12 CPU, 64 GB RAM).

Would it be feasible to colocate the Deployer with the DS + MC or the CM + LM? Or would you recommend that the Deployer be installed on a standalone instance?


richgalloway
SplunkTrust
It is feasible to colocate the deployer on either of the instances you are considering. If you have more than 50 forwarders, however, put the deployer with the CM.
---
If this reply helps you, Karma would be appreciated.